Re: [PATCH] nwfilter: fix typing error in filter

On 01/11/2012 12:42 PM, Stefan Berger wrote:
> Fix a typing error in the no-ip-spoofing filter.
> Return DHCP request packets passing through this filter. Have
> the user use another filter to actually allow DHCP requests to be
> sent (action='accept').
> 
> ---
>  examples/xml/nwfilter/no-ip-spoofing.xml |    6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> Index: libvirt-acl/examples/xml/nwfilter/no-ip-spoofing.xml
> ===================================================================
> --- libvirt-acl.orig/examples/xml/nwfilter/no-ip-spoofing.xml
> +++ libvirt-acl/examples/xml/nwfilter/no-ip-spoofing.xml
> @@ -1,7 +1,7 @@
> <filter name='no-ip-spoofing' chain='ipv4-ip' priority='-710'>
> - <!-- allow DHCP requests -->
> - <rule action='accept' direction='out' priority='100'>
> - <ip srcipaddr='0.0.0.0' protocol='udp' srcportstart='68'
> srcportend='68'/>
> + <!-- allow DHCP requests sent from 0.0.0.0 -->
> + <rule action='return' direction='out' priority='100'>

I see how the action='accept' vs. action='return' makes a difference
here, if the user has other rules after calling this filter that they
still want to use.

> + <ip srcipaddr='0.0.0.0' protocol='udp' srcportstart='68'
> dstportstart='67'/>
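
Review bot: the added comment "allow DHCP requests sent from 0.0.0.0" no longer matches the rule directly below it, which now has action='return' and so only hands the packet back to the calling chain instead of accepting it. Suggest rewording the comment to say that DHCP requests from 0.0.0.0 leave this filter without being checked for spoofing and that another filter has to accept them, as the commit message already states. The commit message should also say why srcportend='68' was replaced with dstportstart='67', since "typing error" alone does not explain that the match now also constrains the destination port.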

but I'm a bit lost as to why srcportend='68' needs to be changed to
dstportstart='67'.  Assuming you can explain this change, then

ACK.

Meanwhile, this file under examples/ differs from the text in
formatnwfilter.html.in which also defines a filter named no-ip-spoofing;
is that a discrepancy where the docs should be updated to accurately
describe what is our best state-of-the-art in the examples, or is it
something where we should just mention in the docs that the docs are
shorter versions for discussion, and to see examples/ for a more
complete version?  But fixing that can be a separate patch.

-- 
Eric Blake   eblake@xxxxxxxxxx    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
